Brussels, 5 February 2010
Safer standards for European citizens' data transfers to processors in third countries
The European Commission has today adopted a Decision updating the standard contractual clauses for the transfer of personal data to processors established in non-EU countries. The Decision modifies the current standard contractual clauses to take account of the expansion of processing activities and new business models for international processing of personal data. It contains a specific provision to allow, under certain conditions, the outsourcing of processing activities to sub-processors, while ensuring constant protection of personal data.
Vice-President Jacques Barrot said: "This updated version of the standard contractual clauses takes account of new business models and the growing trends to global processing and outsourcing. The updated standard contractual clauses ensure a balance between global business needs and protection of EU citizens' personal data."
The "controller to processor" standard contractual clauses were approved by Commission Decision 2002/16/EC, in order to provide companies with a tool which ensures adequate protection for personal data when they transfer personal data to processors outside the EU/EEA. The Decision adopted today takes account of the recommendations included in the Report on the implementation of Decisions on standard contractual clauses and proposals by different stakeholders [1].
According to the newly adopted Decision, where a data importer (processor) intends to subcontract any of its processing operations performed on behalf of the EU data exporter (controller), it must first obtain the prior written consent of the data exporter. The written contract will impose the same obligations on the sub-processor as those imposed on the data importer under the standard contractual clauses. Where the sub-processor fails to fulfil its data protection obligations, the data importer shall remain fully liable to the data exporter for the performance of the sub-processor's obligations. Moreover, the sub-processing shall only consist of the processing operations agreed in the initial contract entered into by the EU data exporter and the data importer.
Existing contracts, concluded under clauses approved by Decision 2002/16/EC, shall remain in force as long as the transfers and data processing operations remain unchanged. If the parties to the contract wish to make changes to the contract or wish to introduce sub-processing arrangements, they will be required to enter into a new contract, which shall comply with the updated version of the contractual clauses.
National Data Protection Authorities may also authorise other 'ad hoc' contractual arrangements for international data transfers, as long as they assume that such contracts provide sufficient safeguards for the protection of the fundamental rights and freedoms and the right to privacy in particular.
Contractual clauses are not necessary for the transfer of personal data within the EEA (European Economic Area – EU plus Iceland, Norway and Liechtenstein), to those countries whose own data protection regimes have been recognised by the Commission as offering adequate protection [2] or to US companies adhering to the 'Safe Harbour' Privacy Principles issued by the US Department of Commerce (see IP/00/865 and IP/02/46).
[1] SEC(2006)95, 20.1.2006. http://ec.europa.eu/justice_home/fsj/privacy/docs/modelcontracts/sec_2006_95_en.pdf
[2] Argentina, Switzerland, Canada, Isle of Man, Jersey and Guernsey.